From 1485d72065081ff27628e95b3531b5687a17c45b Mon Sep 17 00:00:00 2001
From: Jack Levy
Date: Mon, 2 Mar 2026 11:26:35 -0500
Subject: [PATCH] docs: explain JWT_SECRET_KEY in .env.example
Authored-By: Jack Levy
---
 .env.example | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/.env.example b/.env.example
index acd088c..786ac49 100644
--- a/.env.example
+++ b/.env.example
@@ -5,7 +5,9 @@ LOCAL_URL=http://localhost
 PUBLIC_URL=
 # ─── Auth ──────────────────────────────────────────────────────────────────────
-# Generate a strong random secret: python -c "import secrets; print(secrets.token_hex(32))"
+# Signs and verifies JWT tokens. Anyone with this key can forge auth tokens,
+# so use a long random value in production and never commit it to git.
+# Generate: python -c "import secrets; print(secrets.token_hex(32))"
 JWT_SECRET_KEY=
 # ─── PostgreSQL ───────────────────────────────────────────────────────────────
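Review bot: The added comment above `JWT_SECRET_KEY=` asks for a long random value only "in production", while the template still ships the key empty, so the text does not rule out a copied `.env` running with a blank or shared development key. Whether the application refuses to start with an empty or short key is not visible in this hunk; if it does not, that check belongs in the config loader. I would drop the production qualifier and state the requirement outright, e.g. `# Required in every environment: a unique random value of at least 32 bytes; an empty or reused key lets anyone mint valid tokens.` It may also be worth one line noting that changing the key invalidates tokens already issued, assuming this key is the only signing secret.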